CVE-2026-10886 — Critical use-after-free in Chrome
Critical · Use-after-free in FileSystem · reported to the Chrome VRP · fixed in Chrome 149.0.7827.53 (stable)
Chrome release ↗ NVD record ↗ Chromium bug 505096898 ↗
In April 2026 I reported a use-after-free in Chrome’s FileSystem implementation to Google’s Chrome Vulnerability Reward Program. Google assigned it CVE-2026-10886, rated it Critical (the most serious tier Chrome uses), and shipped the fix in the Chrome 149 stable release on June 2, 2026.

The bug
A use-after-free: memory is released and then accessed again. When an attacker can reclaim and shape the freed region, that turns into memory corruption, and at Critical severity in Chrome it’s the kind of issue that can lead to code execution. This one lived in the FileSystem component.
The fix only reached the stable channel a week ago, so I’m keeping the technical detail light while updates roll out. The canonical references are linked above.
![The June 2 stable bulletin, listing eleven Critical CVEs, with CVE-2026-10886 credited to Andrew Boni](/_astro/chrome-releases-bulletin.Sp_LhIC0_ZEg8R1.webp)
The June 2 bulletin. Eleven Criticals fixed that week; entry 505096898, the FileSystem use-after-free, is mine. The [TBD] is the reward — still pending.
Timeline
- 2026-04-21 — reported to the Chrome VRP (Chromium issue 505096898)
- 2026-06-02 — fixed in Chrome 149.0.7827.53 (stable); CVE-2026-10886 published
Check your version
You want 149.0.7827.53 or later. Open chrome://settings/help, or from the command line:

```sh
# macOS
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --version
# → Google Chrome 149.0.7827.53
```
Chrome updates itself, but the patch only takes effect after a restart.
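To script the same check, compare the version field by field as integers, because a string comparison ranks 149.0.7827.100 below 149.0.7827.53. The script below is an added example, not part of the original post; its function names and the sample version lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: is a Chrome version string at or above the fixed build?
FIXED="149.0.7827.53"   # fixed stable build, as stated on this page

# Pull the first four-part version out of e.g. "Google Chrome 149.0.7827.53".
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_ge A B: succeed when A >= B, comparing field by field as integers.
version_ge() {
    a=$1; b=$2
    for i in 1 2 3 4; do
        af=${a%%.*}; bf=${b%%.*}
        [ "$af" -gt "$bf" ] && return 0
        [ "$af" -lt "$bf" ] && return 1
        a=${a#*.}; b=${b#*.}
    done
    return 0
}

# Returns 0 = patched, 1 = update needed, 2 = unknown (never assume patched).
chrome_is_patched() {
    v=$(extract_version "$1" || true)
    if [ -z "$v" ]; then
        echo "unknown: no version in '$1'"; return 2
    fi
    if version_ge "$v" "$FIXED"; then
        echo "ok: $v >= $FIXED"; return 0
    fi
    echo "update needed: $v < $FIXED"; return 1
}

# Constructed sample lines so the script runs without Chrome installed.
for line in "Google Chrome 149.0.7827.53" "Google Chrome 149.0.7827.100" \
            "Google Chrome 149.0.7827.9" "Chromium"; do
    chrome_is_patched "$line" || true
done

# On macOS, check the real binary at the path given on this page.
APP="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
if [ -x "$APP" ]; then
    chrome_is_patched "$("$APP" --version)" || true
fi
```

A passing result describes the installed binary; a browser that was already running still needs the restart.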
A fuller write-up can wait until the fix has had time to spread.